CVE-2024-24779: Unauthorized Data Access Vulnerability in Apache Superset with Custom Roles and Insufficient Data Access Permissions
In this long-read post, we will delve into the details of CVE-2024-24779, a security vulnerability that affects Apache Superset, a popular open-source data exploration and visualization platform. We'll cover the vulnerability's scope, explain the exploit mechanism, and provide code snippets as well as links to original references. By the end of this post, you will gain a comprehensive understanding of this vulnerability and how to secure your Superset instances.
Affected Versions
This vulnerability has been identified in Apache Superset versions before 3.0.4 and from 3.1.0 up to, but not including, 3.1.1. Users running these versions with custom roles and insufficient data access permissions could be affected. To mitigate the vulnerability, users should upgrade to version 3.1.1 or 3.0.4, which contain the necessary fixes.
Vulnerability Overview
The core issue with CVE-2024-24779 lies in the permission hierarchies of Apache Superset when custom roles are defined. When a user holds a role that grants the "can write on dataset" permission, they can create virtual datasets without having full access permissions to the underlying data. As a result, those users can leverage virtual datasets to gain unauthorized access to the data.
Exploit Mechanism
To exploit this vulnerability, an attacker first registers as a user and obtains the role with the "can write on dataset" permission. Then, they can create a virtual dataset by defining a SQL statement that queries the target data source. Since the user has the "can write on dataset" permission, they can save this virtual dataset and use it as a base to create unauthorized visualizations and dashboards on the platform.
Here's a code snippet that demonstrates the creation of a virtual dataset:

    from superset import db
    from superset.connectors.sqla.models import SqlaTable

    # Attacker defines a SQL statement that queries the unauthorized data source
    sql_statement = "SELECT * FROM unauthorized_table"

    # Create virtual dataset
    virtual_dataset = SqlaTable(
        table_name="virtual_dataset",
        main_dttm_col="created_at",
        schema="virtual",
        sql=sql_statement,
        fetch_values_predicate="",
    )

    # Save virtual dataset to Superset
    db.session.add(virtual_dataset)
    db.session.commit()

Links to Original References
- Apache Superset Official Website: https://superset.apache.org/
- CVE-2024-24779 Vulnerability Report: https://nvd.nist.gov/vuln/detail/CVE-2024-24779
- Apache Superset GitHub Repository: https://github.com/apache/superset
Mitigation and Remediation
To secure your Apache Superset instances, it is strongly recommended to upgrade to version 3.1.1 or 3.0.4, which contain the necessary security patches for this vulnerability.
When defining custom roles, ensure that data access permissions are properly configured so that users cannot create virtual datasets that allow unauthorized access to sensitive information.
To further enhance the security posture of your Apache Superset deployment, perform regular security audits of roles and permissions on an ongoing basis. Keep up to date with the latest security fixes and best practices by monitoring Apache Superset's official channels and community updates.
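One way to run the role audit recommended above, as an added example that is not Superset's own code: it lists roles that can write datasets but hold no instance-wide data access grant, which are the custom roles to review. It assumes Flask-AppBuilder's default security table names in the Superset metadata database and the permission names `can_write`, `all_datasource_access` and `all_database_access`; the sample roles are constructed.

```python
import sqlite3

# Flask-AppBuilder security tables as found in a Superset metadata database
# (default table names assumed; verify them against your deployment).
SCHEMA = """
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_view_menu (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ab_permission_view (id INTEGER PRIMARY KEY, permission_id INT, view_menu_id INT);
CREATE TABLE ab_permission_view_role (id INTEGER PRIMARY KEY, permission_view_id INT, role_id INT);
"""

# Roles with can_write on Dataset that lack any all-data access grant.
AUDIT_SQL = """
WITH grants AS (
  SELECT r.name AS role_name, p.name AS perm, v.name AS vm
  FROM ab_role r
  JOIN ab_permission_view_role pvr ON pvr.role_id = r.id
  JOIN ab_permission_view pv ON pv.id = pvr.permission_view_id
  JOIN ab_permission p ON p.id = pv.permission_id
  JOIN ab_view_menu v ON v.id = pv.view_menu_id
)
SELECT DISTINCT role_name FROM grants
WHERE perm = 'can_write' AND vm = 'Dataset'
  AND role_name NOT IN (
    SELECT role_name FROM grants
    WHERE perm IN ('all_datasource_access', 'all_database_access'))
ORDER BY role_name
"""

def roles_to_review(conn):
    """Return role names that can create datasets without full data access."""
    return [row[0] for row in conn.execute(AUDIT_SQL)]

def build_sample_db():
    """Constructed sample data: three roles with different grants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    grants = {
        "Admin": [("can_write", "Dataset"), ("all_datasource_access", "all_datasource_access")],
        "Analyst_custom": [("can_write", "Dataset"), ("datasource_access", "[examples].[sales](id:1)")],
        "Viewer_custom": [("can_read", "Dataset")],
    }
    for role, perms in grants.items():
        rid = conn.execute("INSERT INTO ab_role (name) VALUES (?)", (role,)).lastrowid
        for perm, vm in perms:
            p = conn.execute("INSERT INTO ab_permission (name) VALUES (?)", (perm,)).lastrowid
            v = conn.execute("INSERT INTO ab_view_menu (name) VALUES (?)", (vm,)).lastrowid
            pv = conn.execute("INSERT INTO ab_permission_view (permission_id, view_menu_id) VALUES (?, ?)", (p, v)).lastrowid
            conn.execute("INSERT INTO ab_permission_view_role (permission_view_id, role_id) VALUES (?, ?)", (pv, rid))
    return conn
```

The same `AUDIT_SQL` can be run read-only against a copy of the real metadata database; each role it returns should then be checked against the datasets its members are meant to see.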
In conclusion, CVE-2024-24779 is a serious vulnerability that can allow unauthorized data access in Apache Superset instances with custom roles and improperly configured data access permissions. By upgrading to the patched versions and following security best practices, users can protect their data and maintain a secure environment.
Timeline
Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC